[SID: 21802] SMB Server Transaction Name BO Detected
October 23, 2009
Today was an interesting day. The UPS on the HP EVA and Blade rack decided to have an issue and Mac clients were unable to connect to SMB shares. I spent the morning engaged in trying to figure out why certain Macs were unable to connect. They would get prompted for a password… then fail to connect. After that they could not ping or do a traceroute to the SMB server. I asked the folks supporting our network switches to take a look.
Then, while checking to ensure we did not have any issues with the switches from a physical standpoint (visual inspection), I noticed that the UPS supporting our blade servers and HP SAN was showing an error light. Reporting that issue took two and a half hours and took me away from the Mac issue.
When I finally got to the messages from the several phone calls I had missed while on the phone with HP, the first one told me that the network guys had done some packet tracing and found that the server was not responding to the Mac clients that were having the issue. This prompted me to start looking at SEP 11 to see if Symantec was causing an issue.
“Traffic from IP Address 000.00.0.000 is blocked from 10/22/2009 3:09:53 pm to 10/22/2009 3:19:53 pm. [SID: 21802] SMB Server Transaction Name BO Detected”
1800+ messages like the one above littered the log files. The 000.00.0.000 is what it actually read; there are no protected innocent IP addresses. Did we find a Mac virus that caused problems with SMB? We did a Google search and found only an explanation of this ‘detection’.
“Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. Microsoft Windows is prone to a remote denial-of-service vulnerability because the operating system fails to properly handle network traffic.
This issue is triggered by specially crafted TCP network packets with destination ports set to 445 or 139. This occurs when SMB_COM_TRANSACTION messages with a non-NULL-terminated transaction name are sent to vulnerable computers. The malformed SMB PIPE traffic causes a NULL-pointer dereference in the ‘srv.sys’ server driver, resulting in denial-of-service conditions.
This issue may cause affected computers to crash, denying service to legitimate users. Code execution is reportedly not possible, but this has not been confirmed.
Reports indicate that this issue may be currently exploited in the wild, but this has not been confirmed.”
What was odd was that not all of our Macs were affected, just the ones running 10.5.8. I have a machine running 10.6.2 and there was no issue with it. The pattern of hits on the intrusion detection started with a small number and grew throughout the day. It looked like a malware pattern, but it could have been just more users trying to connect. We decided to submit the packet captures to Symantec. While one of us was on hold with Symantec I found the following information:
“This is a known false positive. Symantec Support is asking users that are seeing this issue to open a case ASAP.”
We waited for confirmation from Symantec that it was indeed a false positive and with it confirmed took steps to mitigate the issue. I just have to love anti-virus/malware companies that have products that actually cause a denial of service attack while claiming to prevent one.
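One thing that would have settled the "malware or just more users?" question faster is tallying those 1800+ block notices by hour and by source address before opening the case. The script below is an added example written for this post, not code from the post or from Symantec; the log line format is inferred from the single line quoted above, the sample lines (IPs, times, the non-matching line and the second SID) are constructed, and the 50% "single host dominated" threshold is an arbitrary triage heuristic. A burst in which one client accounts for most hits looks like a host hammering the server; the same volume spread across many clients, each tripping the signature a few times, looks like a signature matching normal traffic, which still has to be confirmed with the vendor as described above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in the shape of the SEP 11 block notice quoted in the post.
# The addresses, times and the two non-21802 lines are made up for this example;
# 000.00.0.000 reproduces the literal unresolved address the post reports seeing.
SAMPLE_LOG = """\
Traffic from IP Address 000.00.0.000 is blocked from 10/22/2009 3:09:53 pm to 10/22/2009 3:19:53 pm. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.30 is blocked from 10/22/2009 9:12:01 am to 10/22/2009 9:22:01 am. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.31 is blocked from 10/22/2009 10:05:44 am to 10/22/2009 10:15:44 am. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.30 is blocked from 10/22/2009 10:30:10 am to 10/22/2009 10:40:10 am. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.32 is blocked from 10/22/2009 1:02:00 pm to 10/22/2009 1:12:00 pm. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.33 is blocked from 10/22/2009 1:05:00 pm to 10/22/2009 1:15:00 pm. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.34 is blocked from 10/22/2009 1:07:00 pm to 10/22/2009 1:17:00 pm. [SID: 21802] SMB Server Transaction Name BO Detected
Traffic from IP Address 10.1.2.30 is blocked from 10/22/2009 3:09:53 pm to 10/22/2009 3:19:53 pm. [SID: 21802] SMB Server Transaction Name BO Detected
not a SEP block notice at all
Traffic from IP Address 10.1.2.40 is blocked from 10/22/2009 3:15:00 pm to 10/22/2009 3:25:00 pm. [SID: 99999] Some Other Signature
"""

# Field layout inferred from the one line quoted in the post (assumption).
LINE_RE = re.compile(
    r"Traffic from IP Address (?P<ip>\S+) is blocked from "
    r"(?P<start>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AaPp][Mm]) to "
    r"(?P<end>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AaPp][Mm])\. "
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?)\s*$"
)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
UNRESOLVED_SOURCE = "000.00.0.000"  # placeholder SEP wrote instead of a real source


def parse_line(line):
    """Parse one block notice into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start = datetime.strptime(m["start"].upper(), TIME_FMT)
    end = datetime.strptime(m["end"].upper(), TIME_FMT)
    return {
        "ip": m["ip"],
        "start": start,
        "end": end,
        "block_seconds": int((end - start).total_seconds()),
        "sid": int(m["sid"]),
        "name": m["name"],
    }


def parse_log(text):
    """All parseable events in the log, in file order; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hits_per_hour(events, sid):
    """Hour of day -> number of block notices for one SID (shows the ramp over the day)."""
    return dict(sorted(Counter(e["start"].hour for e in events if e["sid"] == sid).items()))


def sources_per_hour(events, sid):
    """Hour of day -> sorted list of distinct source addresses blocked for one SID."""
    by_hour = defaultdict(set)
    for e in events:
        if e["sid"] == sid:
            by_hour[e["start"].hour].add(e["ip"])
    return {h: sorted(ips) for h, ips in sorted(by_hour.items())}


def triage(events, sid, single_host_threshold=0.5):
    """Summarise one SID: one host responsible for most hits, or many clients each
    tripping it a few times? The threshold is an arbitrary heuristic, not a SEP value."""
    hits = [e for e in events if e["sid"] == sid]
    if not hits:
        return {"sid": sid, "total": 0}
    per_source = Counter(e["ip"] for e in hits)
    top_ip, top_n = per_source.most_common(1)[0]
    share = top_n / len(hits)
    return {
        "sid": sid,
        "name": hits[0]["name"],
        "total": len(hits),
        "distinct_sources": len(per_source),
        "unresolved_source_hits": per_source.get(UNRESOLVED_SOURCE, 0),
        "top_source": top_ip,
        "top_source_share": round(share, 3),
        "single_host_dominated": share >= single_host_threshold,
        "first_seen": min(e["start"] for e in hits),
        "last_seen": max(e["start"] for e in hits),
        "block_seconds": sorted({e["block_seconds"] for e in hits}),
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for sid in sorted({e["sid"] for e in evts}):
        print(triage(evts, sid))
        print("  hits/hour:   ", hits_per_hour(evts, sid))
        print("  sources/hour:", sources_per_hour(evts, sid))
```

Run against the real log, `hits_per_hour` gives the ramp the post describes, and `triage` says whether that ramp is one address or the whole Mac population; a `block_seconds` set other than the ten-minute window in the quoted line would also be worth noticing, since a changed block duration usually means a different policy fired.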
Some questions still linger:
- Why would an OS X connection match this ‘signature’?
- Why would OS X 10.5.8 be different from 10.6.2?
Joy!
That, my friends, is why I use Ubuntu at home.